How is a TOTP not secure? It’s a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.
Evil.com relays TOTP to Good.com and does a complete account takeover
The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it’ll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).
How is a TOTP not secure? It’s a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.
The attack vector is as follows:
The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it’ll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).